CVE-2026-47137

A flaw was found in vm2, an open-source virtual machine VM sandbox for Node.js. A remote attacker could bypass a security check designed to prevent the combination of nested environments and disabled module loading. This bypass occurs because a strict equality check for the require option can be...

CVE-2026-47137

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx CVE-2023-37903 introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is...

CVE-2026-47208

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4...

CVE-2026-47140

CVE-2026-47140 - vm2 NodeVM denylist bypass : The vm2 sandbox (NodeVM) before version 3.11.4 did not block certain host-access primitives: processing modules like process and inspector/promises could be required from sandboxed code to bypass restrictions and execute code in the host process. Root...

Sandbox Escape

vm2 is vulnerable to Sandbox Escape. The vulnerability is due to incomplete protection of dangerous cross-realm symbols in setup-sandbox.js and missing validation in the bridge's set, defineProperty, and deleteProperty traps. This allows sandboxed code to obtain and manipulate real cross-realm...

CVE-2026-43997

A flaw was found in vm2 before 3.11.0, a Node.js sandbox library. Sandboxed code can obtain the host Object e.g. via HostObject.getOwnPropertySymbols and Symbolnodejs.util.inspect.custom, bypassing isolation and enabling arbitrary code execution on the host...

CVE-2026-44008

A flaw was found in vm2 before 3.11.2. The neutralizeArraySpeciesBatch method can invoke host-side getters on array prototypes, exposing host objects and the host Function into the sandbox for escape and arbitrary command execution. Fixed in 3.11.2...

CVE-2026-44006

A flaw was found in vm2 before 3.11.0. Sandboxed code can reach BaseHandler.getPrototypeOf to obtain arbitrary prototypes, enabling sandbox escape and arbitrary code execution. Fixed in 3.11.0...

Incomplete List of Disallowed Inputs

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the NodeVM builtin allowlist in lib/builtin.js. An attacker can read host-process state by...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +21 more potentially affected by CVE-2026-47141 via vm2 (>=3.0.0 <=3.11.3)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =0.1.0, =1.1.15, =1.27.8, =1.0.0-beta.1, =1.1.0, =0.2.0, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.72.4 and more Source cves: CVE-2026-47141 Source advisory: SNYK:JS-VM2-17111339...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +21 more potentially affected by CVE-2026-47139 via vm2 (>=3.0.0 <=3.11.3)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =0.1.0, =1.1.15, =1.27.8, =1.0.0-beta.1, =1.1.0, =0.2.0, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.72.4 and more Source cves: CVE-2026-47139 Source advisory: SNYK:JS-VM2-17111337...

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47139 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47140 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +21 more potentially affected by CVE-2026-47140 via vm2 (>=3.0.0 <=3.11.3)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =0.1.0, =1.1.15, =1.27.8, =1.0.0-beta.1, =1.1.0, =0.2.0, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.72.4 and more Source cves: CVE-2026-47140 Source advisory: SNYK:JS-VM2-17111172...

Incomplete List of Disallowed Inputs

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the builtin allowlist handling in lib/builtin.js. An attacker can reach host code by requiring process and...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +21 more potentially affected by CVE-2026-47210 via vm2 (>=3.0.0 <=3.11.3)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =0.1.0, =1.1.15, =1.27.8, =1.0.0-beta.1, =1.1.0, =0.2.0, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.72.4 and more Source cves: CVE-2026-47210 Source advisory: SNYK:JS-VM2-17111321...

Improper Control of Dynamically-Managed Code Resources

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources through the WebAssembly.promising and WebAssembly.Suspending JSPI APIs in...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +21 more potentially affected by CVE-2026-47137 via vm2 (>=3.0.0 <=3.11.3)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =0.1.0, =1.1.15, =1.27.8, =1.0.0-beta.1, =1.1.0, =0.2.0, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.72.4 and more Source cves: CVE-2026-47137 Source advisory: SNYK:JS-VM2-17111317...

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47137 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE

Summary The fix for GHSA-8hg8-63c5-gwmx CVE-2023-37903 introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is trivially bypassed by omitting the require option entirely. When...